Vulnerabilities / Threats

01:02 PM

Ransomware Pays: FBI Updates Reveton Malware Warning

Latest malware, trying to trick users into paying a fine, claims the FBI is using audio, video, and other devices to record computer's "illegal" activity.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Can people pay a fine online, avoid the threat of prosecution by the FBI, and unlock their locked PC all in one go?

That's the offer made by a "Threat of Prosecution Reminder" that's been flashing on numerous PC screens, which says that the FBI has locked the PC after finding evidence that the computer has been used to access child pornography or other illegal content. The latest version of this notice says that "all activity on this computer is being recorded using audio, video, and other devices." But users are offered a way to pay the related fine being levied, immediately unlock their PC, and see the whole matter immediately dismissed.

The warning, however, is just a setup. "This is not a legitimate communication from the IC3, but rather is an attempt to extort money from the victim," according to an advisory released last week by the Internet Crime Complaint Center (IC3), which is a joint effort between the FBI and the National White Collar Crime Center. "If you have received this or something similar do not follow payment instruction."

[ How effective is anti-virus software? Antivirus Tool Fail: Blocking Success Varies By 58%. ]

The extortion part of the scam -- now also featured on the FBI's list of e-scams -- is facilitated by a malicious application known as Reveton, which according to antivirus vendor F-Secure "fraudulently claims to be from a legitimate law enforcement authority and prevents users from accessing their infected machine, demanding that a 'fine' must be paid to restore normal access." Machines are typically infected with Reveton via malicious websites -- using drive-by download attacks launched by Citadel crimeware -- rather than being introduced via phishing attacks or malicious email attachments.

"To unlock the computer, the user is instructed to pay a fine using prepaid money card services," according to the IC3. "The geographic location of the user's PC determines what payment services are offered. In addition to the ransomware, the Citadel malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud."

Don't pay the bogus fine, but do seek help when removing Reveton. "Manual disinfection is a risky process; it is recommended only for advanced users," says F-Secure. If a PC has been infected, also don't rely on any antivirus software that's already been installed, as "some variants of [Reveton] may make lasting changes to your computer that make it difficult for you to download, install, run, or update your virus protection," states a Microsoft malware advisory.

Numerous Reveton-driven ransomware campaigns have been seen this year, localized not just for residents of the United States but also for Finland, Ireland, Germany, and other parts of Europe. The FBI previously released an alert about the Reveton malware in August, with IC3 manager Donna Gregory saying, "We're getting inundated with complaints," and noting that fine payments of $200 didn't seem to be uncommon.

Given the FBI's new warning, PC users obviously haven't been getting the message about the scam. The latest version of Reveton also contains a variation on the previous social-engineering attack. "In addition to instilling a fear of prosecution, this version of the malware also claims that the user's computer activity is being recorded using audio, video, and other devices," according to the IC3.

Unfortunately, any PC infected with Reveton faces further problems, as the malware is delivered by the Citadel malware toolkit, which does in fact include the ability to record whatever users are doing on their PC screen, typically for the purposes of committing "online banking and credit card fraud," according to the IC3.

The latest version of the Russian-language Citadel malware, unveiled earlier this month, includes other advanced capabilities too, such as grabbing passwords from Firefox and Chrome, or using Web injection to modify code on targeted websites, potentially allowing them to trick users into divulging their log-in credentials. Citadel is one of a number of well-known financial malware crimeware toolkits, such as Blackhole, Crisis, SpyEye and Zeus, which include command-and-control software that allows the botmaster to easily relay data from compromised, or zombie machines. The compromised machines can also be used as relays in spam networks or nodes in a larger distributed denial-of-service campaign.

Why do criminals bother with ransomware? Simply put, because such attacks seem to pay. Symantec security researchers Gavin O'Gorman and Geoff McDonald recently studied 68,000 PCs that had been compromised by ransomware in the space of a month, and found that attackers' haul could have been $400,000. One recent 18-day Reveton attack, meanwhile, had attempted to infect 500,000 PCs. "Given the number of different gangs operating ransomware scams, a conservative estimate is that over $5 million a year is being extorted from victims," wrote the researchers in a related report. "The real number is, however, likely much higher."

Faster networks are coming, but security and monitoring systems aren't necessarily keeping up. Also in the new, all-digital Data Security At Full Speed special issue of InformationWeek: A look at what lawmakers around the world are doing to add to companies' security worries. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
12/17/2012 | 8:26:54 AM
re: Ransomware Pays: FBI Updates Reveton Malware Warning
Keeping up on list of IT scams I am sure would help you in a situation like this. Sounds like nasty malware tough, allowing its self to monitor audio and video, and even pull your browser passwords and such. It did not really go int o detail abut how to get rid of it, is there a easier way or should I say free way or do I have to pay a fee somewhere to have it removed, ironic huh?

Paul Sprague
InformationWeek Contributor
Threat Intel: Finding Balance in an Overcrowded Market
Kelly Sheridan, Staff Editor, Dark Reading,  4/23/2018
Coviello: Modern Security Threats are 'Less About the Techniques'
Kelly Sheridan, Staff Editor, Dark Reading,  4/24/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.